Third party cyber attacks – what can data subjects claim?
In a recent case management application, the High Court has considered the limits of data subjects’ remedies against a data controller following a cyber attack by a third party. The outcome of this decision will be welcomed by data controllers, as three of the four causes of action that the claimant sought to rely on (misuse of private information (“MPI”), breach of confidence (“BoC”) and common law negligence) were struck out. The MPI and BoC claims failed because those causes of action require the controller to take some positive action to misuse the data, which did not happen. The common law negligence claim failed because no duty of care was owed by the controller to the data subject. The only option left for the claimant is to allege breach of the Data Protection Act 1998 (the “DPA”), as the breach in question took place before the GDPR came into force.
DSG Retail Ltd (“DSG”) operates various consumer-facing technology retail brands in the UK. Between July 2017 and April 2018, DSG was the victim of a cyber attack in which third party criminals deployed malware on almost 6,000 point-of-sale terminals in DSG stores (the “Attack”). As a result of the Attack, the attackers were able to access the personal data of many of DSG’s customers, including payment card information. The Attack was investigated by the Information Commissioner, who found that DSG had breached its duty under the seventh data protection principle (“DPP7”) to apply appropriate technical and organisational security measures. The Information Commissioner issued a Monetary Penalty Notice in the amount of £500,000 in January 2020, which DSG is in the process of appealing.
The claimant was a customer of DSG who alleged that, as a result of the Attack, his personal information was compromised causing him to suffer distress. He brought a claim against DSG for £5,000. The subject of this judgment concerns the summary judgment application made by DSG in relation to the MPI, BoC and common law negligence claims (DSG accepted that the claim for the breach of DPP7 could in principle proceed to full trial).
DSG’s main arguments were that:
- the alleged breach constituted a failure by DSG to keep the personal data secure from unauthorised access by an external, third-party attacker;
- in law, this cannot satisfy the tests for BoC or MPI claims. This is because those causes of action require the defendant to have committed some positive wrongful action (e.g. disclosing the data) and no such action took place in relation to the Attack; and
- in line with previous authorities, where duties apply under the DPA, there is no need to bring an action in negligence as this would duplicate the DPA claim.
The claimant conceded the BoC claim was not tenable, but in respect of the other claims asserted that:
- the MPI claim had a reasonable prospect of success. The information was private in nature, and it was argued that MPI covers not only the disclosure of private information but also intrusion into privacy and the manner in which privacy in such information is lost. As DSG had been aware of certain deficiencies in its systems from as early as 2014 and had failed to remedy them, it followed that DSG left the claimant exposed to a real risk of privacy intrusion that was “tantamount to publication”. Further, there was no authority supporting the “positive wrongful action” requirement; and
- the claim in negligence would substantively add to the action and would be helpful in informing the judicial consideration of whether the security measures were appropriate for the purposes of DPP7.
The judge held that positive wrongful conduct was required for the MPI claim to succeed; there had not been any such conduct, and so the MPI claim had no reasonable prospect of success. Neither BoC nor MPI imposes a data security duty on holders of information; such a duty would only arise if there was a special relationship between the parties giving rise to a duty of care.
The judge dismissed the claim in negligence for two reasons. First, there was no need to bring a duplicative action in negligence when the statutory duties under DPP7 already applied. Imposing a duty owed generally to those affected by a data breach would be too broad, giving rise to potentially unquantifiable liability for a controller in respect of an indeterminable number of data subjects. Second, the loss being claimed was for distress, and this did not constitute sufficient damage for a negligence claim. Some evidence of a recognisable psychiatric illness or pecuniary loss would have been required, neither of which was pleaded.
DSG did not seek to strike out the claim for breach of statutory duty relating to DPP7, and the parties will proceed to trial on this issue. However, the court ordered that this claim be stayed until after the determination of DSG’s appeal against the Information Commissioner’s Monetary Penalty Notice.
Although this was a summary judgment/strikeout application, the judgment is a good summary of the principles and a helpful restatement of the law in this area. There is some recognition in the judgment that there were “manifest deficiencies” in the claim as pleaded, but it seems unlikely that a pleading without these deficiencies would have materially affected the outcome. The judge at one point summed up the claimant’s MPI position by using the following analogy:
“If a burglar enters my home through an open window (carelessly left open by me) and steals my son’s bank statements, it makes little sense to describe this as a “misuse of private information” by me. Recharacterizing my failure to lock the window as a “publication” of the statements is wholly artificial. It is an unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI”.
The position on the elements required to make out a successful MPI or BoC claim is clear, and aligns with various previously decided cases on similar issues. For example, in Various Claimants v Wm Morrison Supermarkets plc, MPI and BoC claims against a controller were unsuccessful, for broadly the same reasons, following the illegal disclosure of Morrison’s employee data by a rogue employee.
The decision has another important result. The Jackson reforms limited the recoverability of success fees and ATE insurance premiums, but there was a carve-out for publication and privacy proceedings. Such proceedings include MPI and BoC claims, but do not include claims for breach of data protection legislation. It has long been a point of commercial pressure for claimants in such claims to notify the defendant that ATE insurance has been obtained, and that this will be recoverable from the defendant; given the typical value of these claims, the potential for an ATE premium to also be recoverable was an important additional risk factor for defendants. This decision at the very least casts significant doubt on the recoverability of ATE premiums for claimants seeking to bring claims following data breaches.
The decision will doubtless be welcomed by many companies, as it limits the causes of action that may be successfully brought in litigation following a third-party-induced data breach.
(Co-authored by Paul Glass, James Parker and Abigail Saffron)
Content is provided for educational and informational purposes only and is not intended and should not be construed as legal advice. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee similar outcomes. For more information, please visit: www.bakermckenzie.com/en/disclaimers.